SparkKitty Spyware Hits App Store, Google Play: Crypto Photo Theft


Mobile Malware Alert: SparkKitty Spyware Discovered Targeting Crypto Via Images

Security researchers have uncovered a new mobile spyware campaign, dubbed SparkKitty, actively targeting both iOS and Android users. Believed to be closely related to the previously identified SparkCat operation, SparkKitty shares a core objective: compromising victims’ cryptocurrency assets, particularly by stealing sensitive information like crypto wallet recovery phrases often stored as images on devices.

The campaign has been operational since at least February 2024 and has managed to bypass security measures to infiltrate official distribution channels like the App Store and Google Play, in addition to spreading through unofficial sources.

Origins and Distribution Methods

The investigation into SparkKitty began with the discovery of suspicious online stores promoting modified versions of popular apps, such as TikTok, for Android. These modified apps contained additional code that embedded links to dubious online shops within the app interface. While initially appearing to be a simple scam, deeper analysis of the distribution pages revealed code suggesting a parallel effort to distribute iOS applications.

This led to the discovery of websites mimicking the App Store, designed to trick iPhone users into downloading and installing malicious apps. Since iOS normally refuses to install apps from outside the App Store, the attackers abuse Apple’s Enterprise (in-house) provisioning profiles. These profiles are meant for organizations to distribute internal apps to their own employees; an app signed under one installs on any device once the user explicitly trusts the developer in Settings, and it never passes App Store review. The apps are still code-signed, just by an enterprise certificate rather than through Apple’s review, so the only gate is the user’s trust decision. Attackers leveraged profiles issued to seemingly legitimate entities to install their malicious TikTok mods and other compromised applications.
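A practitioner triaging a sideloaded IPA wants to know who signed it and whether it was distributed under an enterprise profile. The following is an added example, not code from the original article or from the attackers’ tooling: an enterprise-signed app carries Payload/<App>.app/embedded.mobileprovision, a CMS (PKCS#7) signed blob whose payload is an XML plist, and the script slices that plist out without verifying the CMS signature (enough to read the team name and the ProvisionsAllDevices marker, not to prove authenticity). SAMPLE_PROFILE, the team name and team ID are constructed placeholders.

```python
"""Read the provisioning profile embedded in a sideloaded iOS app.

Added example, not from the original article.  App Store builds have
embedded.mobileprovision stripped, so its presence already says the app
came from outside the store.  The plist is sliced out of the CMS wrapper
without signature verification; use `security cms -D -i` on macOS when a
verified decode is needed.  SAMPLE_PROFILE is a constructed placeholder.
"""
import plistlib
import zipfile
from datetime import datetime, timezone


def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML plist payload out of a .mobileprovision blob."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict, now=None) -> dict:
    """Summarise who signed the app and how it may be installed.

    ProvisionsAllDevices=true is the enterprise (in-house) distribution
    marker that lets the app run on any device whose user trusts the team;
    a ProvisionedDevices list instead means ad hoc (UDID-bound) distribution.
    """
    now = now or datetime.now(timezone.utc)
    exp = profile.get("ExpirationDate")
    if exp is not None and exp.tzinfo is None:  # plistlib dates are naive UTC
        exp = exp.replace(tzinfo=timezone.utc)
    ents = profile.get("Entitlements", {})
    enterprise = bool(profile.get("ProvisionsAllDevices"))
    return {
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "enterprise": enterprise,
        "adhoc": not enterprise and "ProvisionedDevices" in profile,
        "app_id": ents.get("application-identifier"),
        "expired": exp is not None and exp < now,
    }


def profile_from_ipa(path: str) -> dict:
    """Locate embedded.mobileprovision inside an IPA (a zip) and parse it."""
    with zipfile.ZipFile(path) as ipa:
        for name in ipa.namelist():
            if name.startswith("Payload/") and name.endswith(".app/embedded.mobileprovision"):
                return extract_profile_plist(ipa.read(name))
    raise FileNotFoundError("no embedded.mobileprovision: not a sideloaded build?")


# Constructed sample: a few DER-looking bytes around a plist, mimicking the
# CMS wrapper.  Values are placeholders, not from any real profile.
SAMPLE_PROFILE = b"\x30\x82\x0b\x00\x06\x09" + plistlib.dumps({
    "Name": "Example In-House Distribution",
    "TeamName": "Example Logistics Ltd",          # placeholder
    "TeamIdentifier": ["ABCDE12345"],             # placeholder
    "ProvisionsAllDevices": True,                 # enterprise marker
    "ExpirationDate": datetime(2030, 1, 1, 0, 0, 0),
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.videomod",
        "get-task-allow": False,
    },
}) + b"\x31\x82\x00\x10"

if __name__ == "__main__":
    print(classify_profile(extract_profile_plist(SAMPLE_PROFILE)))
```

An enterprise profile whose TeamName is an unrelated business (a logistics firm signing a TikTok mod, say) is exactly the pattern described above; the team ID is also the pivot for finding other apps signed with the same certificate.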

Beyond these unofficial sites, researchers found SparkKitty embedded within apps distributed directly through Google Play and the App Store. While Google and Apple were notified and subsequently removed these specific malicious applications (one notable infected app on Google Play was a messaging app with crypto features downloaded over 10,000 times, and an infected App Store app was a crypto information tracker), their temporary presence highlights the threat actor’s ability to breach official store defenses.

Technical Analysis: How SparkKitty Operates

SparkKitty employs distinct technical approaches for each platform, but both are designed to ultimately gain access to and exfiltrate user photos.

iOS Implementation

On iOS, the malicious payload is often delivered disguised as legitimate development frameworks (like AFNetworking.framework or Alamofire.framework) or obfuscated libraries (such as libswiftDarwin.dylib or modified versions of libcrypto.dylib). In some cases, the malicious code is embedded directly into the infected app’s main body.

Rather than hooking or swizzling the host app’s own methods, the malware authors rely on Objective-C’s +load class method, which the runtime calls as soon as the class’s image is loaded, before the app’s main() runs. This gives the payload a foothold early in the app’s lifecycle with no call site in the host code to spot. On startup the malware checks for a specific key/value pair in the app’s Info.plist; only if it matches does it proceed to decrypt configuration data, fetched from external URLs or stored in UserDefaults, using AES-256 in ECB mode with a key embedded in the binary. The decrypted data yields the command-and-control (C2) server addresses. Because the key is embedded and ECB uses no IV, an analyst who recovers the key from one sample can decrypt any of the hosted configuration files listed in the indicators below.

Before attempting to steal photos, the malware contacts a C2 server to request permission (via an /api/getImageStatus endpoint). Once authorized, it requests access to the user’s photo gallery and registers a callback to monitor for any changes. The core malicious function then exfiltrates all accessible photos that haven’t been previously uploaded, maintaining a local database to track stolen images. Photos are sent to the C2 server via PUT requests (/api/putImages), along with device and user identifiers.

Some highly obfuscated iOS variants, including modified libcrypto.dylib samples, also load encrypted C2 addresses and send device data using the same encryption methods, further linking them to the campaign, although the exact photo-sending trigger in these specific samples wasn’t fully determined.

Android Implementation

The Android version of the SparkKitty Trojan exists in both Java and Kotlin implementations. Notably, the Kotlin variant functions as a malicious Xposed module, hooking into app entry points.

Similar to the iOS version, Android samples fetch and decrypt configuration files containing C2 addresses, also using AES-256 ECB encryption. Communication status and photo upload permission are checked via requests to endpoints like /api/anheartbeat.

The image theft on Android is multi-stage. After the C2 confirms upload permission, the malware reads a hidden file on external storage (/sdcard/aray/cache/devices/.DEVICES), which likely holds a hashed device identifier. Depending on its contents, the malware either uploads every image in the gallery or, in some observed samples, only the third image from the end of an alphabetically sorted list, a behavior the researchers suspect is leftover debugging logic. Images and device information are uploaded via PUT requests to the C2 (/api/putDataInfo).

The Xposed module variants include an interesting feature: they attempt to connect to multiple C2 addresses and select the one with the fastest response time.

Connecting the Dots to SparkCat

Researchers are moderately confident that SparkKitty is related to the SparkCat stealer they reported earlier, whether as an evolution of it or as a parallel campaign run by the same operators. Several factors support this connection:

Shared Frameworks: Some Android apps infected with SparkKitty were built using the same underlying framework observed in apps infected with SparkCat.
Overlapping Apps: Specific infected Android applications were found in both the SparkCat and SparkKitty campaigns.
Matching Debug Symbols: Analysis of malicious iOS frameworks in both campaigns revealed identical debug file paths originating from the attackers’ systems, pointing to shared build environments and potentially the same development team.
Methodology Evolution: SparkCat, reported first but active since at least March 2024 (so the two campaigns overlap in time; SparkKitty dates to February 2024), used Optical Character Recognition (OCR) to scan images for cryptocurrency wallet recovery phrases and exfiltrate only those. SparkKitty mostly opts for indiscriminate photo theft instead, but the shared focus on gallery images and on crypto strongly suggests a common origin and a broadening, rather than a refinement, of tactics.

Campaign Goals, Targets, and Scope

While SparkKitty’s photo-stealing is less specifically targeted via OCR than SparkCat’s original implementation, the campaign’s context points heavily towards financial motivation related to cryptocurrency. Evidence includes:

Embedding a crypto-only store within a compromised TikTok app.
Finding the spyware in several explicitly crypto-themed applications available in official stores (e.g., 币coin, SOEX messaging app).
Distribution through a network of app download platforms that also push scam and Ponzi scheme PWAs linked to cryptocurrency fraud.

Based on the types of infected apps (Chinese gambling games, TikTok mods, adult games) and distribution sources, the primary targets appear to be users in Southeast Asia and China. However, the malware’s technical design lacks geographical limitations, meaning users in any region could potentially be affected.

Takeaways

The SparkKitty campaign serves as a stark reminder that sophisticated mobile malware continues to pose a significant threat, successfully infiltrating official app stores like Google Play and the App Store by bypassing their review processes. Threat actors are also exploiting alternative distribution methods, such as leveraging misused iOS Enterprise provisioning profiles, to reach users outside official channels.

While technically not overly complex, SparkKitty’s persistence since early 2024 and its ability to steal potentially all user photos make it dangerous. Although the core motivation seems tied to crypto asset theft (likely seeking seed phrases or private keys stored as images), the indiscriminate nature of the photo exfiltration means other sensitive personal data could also be compromised.

Users, particularly in the targeted regions, should scrutinize app permissions, especially photo gallery access requested by apps that have no need for it (on iOS, granting access to selected photos rather than the full library limits what an app of this kind can reach). Never store crypto recovery phrases or private keys as screenshots or photos; keep them offline. Reputable mobile security software can help detect and block such threats.

Indicators of Compromise


Infected Android apps
b4489cb4fac743246f29abf7f605dd15
e8b60bf5af2d5cc5c501b87d04b8a6c2
aa5ce6fed4f9d888cbf8d6d8d0cda07f
3734e845657c37ee849618e2b4476bf4
fa0e99bac48bc60aa0ae82bc0fd1698d
e9f7d9bc988e7569f999f0028b359720
a44cbed18dc5d7fff11406cc403224b9
2dc565c067e60a1a9656b9a5765db11d
66434dd4402dfe7dda81f834c4b70a82
d851b19b5b587f202795e10b72ced6e1
ce49a90c0a098e8737e266471d323626
cc919d4bbd3fb2098d1aeb516f356cca
530a5aa62fdcca7a8b4f60048450da70
0993bae47c6fb3e885f34cb9316717a3
5e15b25f07020a5314f0068b474fff3d
1346f987f6aa1db5e6deb59af8e5744a

Infected iOS apps
21ef7a14fee3f64576f5780a637c57d1
6d39cd8421591fbb0cc2a0bce4d0357d
c6a7568134622007de026d22257502d5
307a64e335065c00c19e94c1f0a896f2
fe0868c4f40cbb42eb58af121570e64d
f9ab4769b63a571107f2709b5b14e2bc
2b43b8c757c872a19a30dcdcff45e4d8
0aa1f8f36980f3dfe8884f1c6f5d6ddc
a4cca2431aa35bb68581a4e848804598
e5186be781f870377b6542b3cecfb622
2d2b25279ef9365420acec120b98b3b4
149785056bf16a9c6964c0ea4217b42b
931399987a261df91b21856940479634

Malicious iOS frameworks
8c9a93e829cba8c4607a7265e6988646
b3085cd623b57fd6561e964d6fd73413
44bc648d1c10bc88f9b6ad78d3e3f967
0d7ed6df0e0cd9b5b38712d17857c824
b0eda03d7e4265fe280360397c042494
fd4558a9b629babe65a649b57bef20c
1b85522b964b38de67c5d2b670bb30b1
ec068e0fc6ffda97685237d8ab8a0f56
f10a4fdffc884089ae93b0372ff9d5d1
3388b5ea9997328eb48977ab351ca8de
931085b04c0b6e23185025b69563d2ce
7e6324efc3acdb423f8e3b50edd5c5e5
8cfc8081559008585b4e4a23cd4e1a7f

Obfuscated malicious iOS libraries
0b7891114d3b322ee863e4eef94d8523
0d09c4f956bb734586cee85887ed5407
2accfc13aaf4fa389149c0a03ce0ee4b
5b2e4ea7ab929c766c9c7359995cdde0
5e47604058722dae03f329a2e6693485
9aeaf9a485a60dc3de0b26b060bc8218
21a257e3b51561e5ff20005ca8f0da65
0752edcf5fd61b0e4a1e01371ba605fd
489217cca81823af56d141c985bb9b2c
b0976d46970314532bc118f522bb8a6f
f0460bdca0f04d3bd4fc59d73b52233b
f0815908bafd88d71db660723b65fba4
6fe6885b8f6606b25178822d7894ac35

Download links for infected apps
hxxps://lt.laoqianf14[.]top/KJnn
hxxps://lt.laoqianf15[.]top/KJnn
hxxps://lt.laoqianf51[.]top/KJnn
hxxps://yjhjymfjnj.wyxbmh[.]cn/2kzos8?a45dd02ac=d4f42319a78b6605cabb5696bacb4677
hxxps://xt.xinqianf38[.]top/RnZr

Pages distributing Trojans
hxxps://accgngrid[.]com
hxxps://byteepic[.]vip

C2 and configuration storage
C2:
23.249.28[.]88
120.79.8[.]107
23.249.28[.]200
47.119.171[.]161
api.fxsdk.com
Configurations
hxxp://120.78.239[.]17:10011/req.txt
hxxp://39.108.186[.]119:10011/req.txt
hxxps://dhoss-2023.oss-cn-beijing.aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh
hxxps://sdk-data-re.oss-accelerate.aliyuncs[.]com/JMUCe7txrHnxBr5nj.txt
hxxps://gitee[.]com/bbffipa/data-group/raw/master/02WBUfZTUvxrTMGjh7Uh
hxxps://ok2025-oss.oss-cn-shenzhen.aliyuncs[.]com/ip/FM4J7aWKeF8yK
hxxps://file-ht-2023.oss-cn-shenzhen.aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh
hxxps://afwfiwjef-mgsdl-2023.oss-cn-shanghai.aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh
hxxps://zx-afjweiofwe.oss-cn-beijing.aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh
hxxps://dxifjew2.oss-cn-beijing.aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh
hxxps://sdk-data-re.oss-accelerate.aliyuncs[.]com/JMUCe7txrHnxBr5nj.txt
hxxps://data-sdk2.oss-accelerate.aliyuncs[.]com/file/SGTMnH951121
hxxps://1111333[.]cn-bj.ufileos[.]com/file/SGTMnH951121
hxxps://tbetter-oss.oss-accelerate.aliyuncs[.]com/ip/CF4J7aWKeF8yKVKu
hxxps://photo-php-all.s3[.]ap-southeast-1.amazonaws[.]com/app/domain.json
hxxps://c1mon-oss.oss-cn-hongkong.aliyuncs[.]com/J2A3SWc2YASfQ2
hxxps://tbetter-oss.oss-cn-guangzhou.aliyuncs[.]com/ip/JZ24J7aYCeNGyKVF2
hxxps://data-sdk.oss-accelerate.aliyuncs[.]com/file/SGTMnH951121

Paths
/sdcard/aray/cache/devices/.DEVICES
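The indicators above, together with the C2 endpoints described in the iOS and Android sections (/api/getImageStatus, /api/putImages, /api/anheartbeat, /api/putDataInfo), are most useful when they can be run over real telemetry. The following is an added example, not code from the original article or from the malware: it refangs the defanged indicators, matches proxy and DNS log lines on C2 host and on C2 API path, checks an Android file listing for the .DEVICES marker, and compares a file’s MD5 against the hash list. Only a subset of the hosts and hashes is embedded, and the log lines in SAMPLE_LOG are constructed to show what a hit looks like.

```python
"""Hunt for the SparkKitty indicators on this page in logs, listings and hashes.

Added example; not code from the original article.  Indicator values are a
subset copied from the IoC list above, API paths are those the article
attributes to the C2 traffic, and SAMPLE_LOG is constructed telemetry.
"""
import hashlib
from urllib.parse import urlparse

DEFANGED_C2 = [
    "23.249.28[.]88", "120.79.8[.]107", "23.249.28[.]200",
    "47.119.171[.]161", "api.fxsdk.com",
    "hxxp://120.78.239[.]17:10011/req.txt",
    "hxxps://lt.laoqianf14[.]top/KJnn",
    "hxxps://accgngrid[.]com", "hxxps://byteepic[.]vip",
]
C2_PATHS = {"/api/getImageStatus", "/api/putImages",
            "/api/anheartbeat", "/api/putDataInfo"}
KNOWN_MD5 = {  # subset of the "Infected Android apps" list above
    "b4489cb4fac743246f29abf7f605dd15",
    "e8b60bf5af2d5cc5c501b87d04b8a6c2",
}
ANDROID_MARKER = "/sdcard/aray/cache/devices/.DEVICES"


def refang(indicator: str) -> str:
    """'hxxps://a[.]b/c' -> 'https://a.b/c' so indicators compare to real logs."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def host_of(indicator: str) -> str:
    """Bare host (no scheme, port or path) of a refanged host, IP or URL."""
    ind = refang(indicator)
    if "://" in ind:
        return urlparse(ind).hostname or ""
    return ind.split(":")[0]


C2_HOSTS = {host_of(i) for i in DEFANGED_C2}


def match_log_line(line: str) -> list:
    """Return [(kind, value)] hits for one whitespace-separated log line.

    A host hit is high confidence.  A path-only hit means an unknown host
    is speaking the same API and should be triaged, not auto-blocked.
    """
    hits = []
    for token in line.split():
        if "://" in token:
            parsed = urlparse(token)
            host = parsed.hostname or ""
            if host in C2_HOSTS:
                hits.append(("host", host))
            if parsed.path in C2_PATHS:
                hits.append(("path", parsed.path))
        elif token.split(":")[0] in C2_HOSTS:  # bare host, e.g. a DNS query log
            hits.append(("host", token.split(":")[0]))
    return hits


def scan_log(lines) -> list:
    """[(line_number, hits)] for every line that produced at least one hit."""
    return [(n, h) for n, l in enumerate(lines, 1) if (h := match_log_line(l))]


def marker_in_listing(listing: str) -> bool:
    """True if an `adb shell find /sdcard -name .DEVICES` style listing
    contains the Android marker path the malware reads."""
    return any(l.strip() == ANDROID_MARKER for l in listing.splitlines())


def md5_is_known(data: bytes) -> bool:
    """Compare an APK/IPA's MD5 against the hashes listed above."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5


# Constructed sample lines (not real telemetry): proxy hits, a DNS query, a clean line
SAMPLE_LOG = [
    "2025-06-01T08:12:01Z 10.1.2.3 GET http://23.249.28.88/api/getImageStatus 200",
    "2025-06-01T08:12:05Z 10.1.2.3 PUT https://cdn-update.example/api/putImages 200",
    "2025-06-01T08:13:00Z 10.1.2.9 dns-query api.fxsdk.com A",
    "2025-06-01T08:14:00Z 10.1.2.9 GET https://www.example.org/ 200",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

The second sample line is the interesting case: the host is not on the list, but the PUT to /api/putImages is the same exfiltration call the iOS analysis describes, which is how a rotated C2 surfaces. Note that the hashes above are MD5, so they identify the exact samples the researchers saw and nothing else; a repacked build will not match.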
